Monday, March 16, 2015

Beating The Open-Source-Is-More-Secure Straw-Man

Given all of the serious security flaws found in open source software lately, such as those in OpenSSL, it has become a frequent habit of posters to cite the open-source hack-du-jour as a counterexample to a purported claim that "open source software is more secure" than proprietary software. And I just saw it come up again the other day:

Thank you OpenSSL for the one word answer when people claim open source software is secure.
— Ryan Lackey (@octal) March 15, 2015

The problem with these statements is that they seem to be a rampant straw man. When I see them come up, I wonder, "Who in the world is actually making the positive claim that open source software is, in fact, more secure than proprietary software?" Is someone actually making these claims that are being "countered"? On what basis could they even make such a claim?

So, I started to search for specific examples of specific individuals making this specific claim that "open source" is "more secure", and I found it more common for writers to claim that someone believes this than to cite actual examples.

Much of the genesis appears to be an extrapolation of Eric S. Raymond's famous assertion that, "given enough eyeballs, all bugs are shallow", which certainly does not seem to hold up for software defects in general, let alone for security defects. I'm not sure how many people actually believe that this is true in general these days, or even whether it is common for the average developer to believe that it leads to better security. From my searching, it certainly does not seem to be a common "myth" promulgated by open-source promoters; it is more the detractors who promote it as a myth.

Anyone know who the main proponents of this "myth" are these days? Why aren't they called out in articles?